\begin{figure*}[t]
	\center
	\resizebox{\textwidth}{!}{\includegraphics{SecurityRules.png}}	
	\caption{Security Rules}
	\label{fig:rules}
   %\vspace{-0.5cm}
\end{figure*}

\subsection{Declarations \& Dynamic Security Rules}
\label{sec:StaticRules}
Security policies are defined on the abstract level on roles, actions and contexts, allowing the use of the same policies in different systems. \textsf{Declaration}s and \textsf{DynamicMappingRule}s link elements of security rules to target applications by defining a mapping between these elements and the application classes, instances and method calls. 

%\vspace{-0.5cm}
\subsubsection{Declarations}

define aliases for the application classes and methods to simplify referring to them in security rules instead of using fully qualified names. A \texttt{Declaration} (cf. Fig. \ref{fig:SpecificationLanguage}) is either a \texttt{ClassDeclaration} or an \texttt{Action\-Dec\-la\-ration}. A \texttt{Class\-Declaration} provides an alias for one application class and may optionally specify a list of the \texttt{Field}s of the class that are relevant to the enforcement of the security policy. This list improves system efficiency: only the updates of the relevant instance fields will be notified to the \textsc{Pdp}, as opposed to notifying the \textsc{Pdp} about changes of the value of every field of declared classes (see implementation details in Section~\ref{sec:Implementation}). An \texttt{ActionDeclaration} provides an alias for one of the application methods or for every method in a sequence of (nested) methods. Declarations indicate which parts of the application are \emph{relevant} to the security policy, therefore they are used by the \textsc{Pep} to filter information about changes in the application state that are being notified to the \textsc{Pdp}. 



